The SecuriTea News - Issue #2

Every Friday the Weekly SecuriTEA Report brings you the latest week’s trending information security news. Read on and join the conversation.

Companies are starting to face record fines. Remember the huge Facebook privacy scandal that happened a few years ago? If you need a refresher see this article from the NY Times but the tl:dr is: the data of about 87 millions users was shared improperly with Cambridge Analytica and possibly helped sway the US elections. Well the FTC (Federal Trade Commission) has finally reached a settlement and the tech giant is looking at a fine of almost $5 billion dollars. It is set to be the largest fine ever given, surpassing the $22.5 million Google fine in 2012. It hasn’t been finalized yet since it still needs to be reviewed by the Department of Justice but if the number is correct it presents a huge wake-up call to companies who aren’t taking privacy seriously. Users companies expect for their data to not be ethically compromised, used without consent and protected. The fall-out of this scandal, as well as the most recent GDPR going after Marriott for their data breach, is starting to cost.

Airdrop bomb scare. If you have an iPhone, you are familiar with how convenient the Apple feature, AirDrop, is. AirDrop allows anyone to send data - be it website, contact or photo - to anyone else with AirDrop turned on within a range of about 30 feet. You can change this setting (which I highly recommend) to only receive messages from friends, or you can choose to receive content “from everybody.” Well someone took it too far this past weekend when they decided to send pictures of a suicide bomb vest to users who had their Airdrop settings set to "everybody". This occurred right before take-off, causing the pilots to declare an emergency evacuation to remove passengers and cargo. Luckily, nothing was found and no one was hurt but just shows the potential disruptions that can occur from simple settings being on such as Bluetooth.

Looking to get paid? If you are in the field of offensive security and have some serious skills Google is looking to pay you for their Bug Bounty program. A Bug Bounty program is one where a company pays individuals to find flaws in their products, software, or services. So in simple terms...they pay you to hack them! They've doubled their pay-out from $15,000 to $30,000 (you read that right) for "high-quality reports" of flaws in Google Chrome. The company has also increased pay-outs for Google-Play remote execution vulnerabilities (from $5,000 to $20,000) and is even offering a whopping $150,000 for exploits that can compromise their Chromebook or Chromebox. Google increasing the pay-outs come at a good time in the fight against cybercrime. Private sector companies offer large amounts of money for finding vulnerabilities in companies such as Google, so Google is upping the ante in making sure they can find them first. You can read more about their program here.

If you use Slack you might have to reset your passwords! Four years ago Slack suffered a data breach in which attackers accessed a database that gave them user profile information and encrypted passwords. As the aftermath of that breach is still being investigated it has been revealed that the attackers have also "inserted code that allowed them to capture plaintext passwords as they were entered by users at the time". What this means is that the attacker could see what password you were typing in to login and this password is now compromised. It is always advised to never reuse passwords across different accounts but in reality many users are not familiar with the tools to keep passwords safe. If you suspect you are one of these users, or have received communications from Slack regarding this, please change your passwords and associated account passwords immediately!

Bluetooth in the brain? As we all know technology is ever evolving. This is seen even more so when it comes to Tesla founder Elon Musk. He recently revealed an idea to embed Blue-tooth enabled implants into the brain to enable disabled persons to regain motor and cognitive function. The implants, named Neuralinks, are tiny chips that would be interconnected with the brain’s organic neural network via 1,000 wispy wires measuring one-tenth the width of a human hair. These chips would be implanted via robot and the chip itself will seal the hole after the procedure. The idea is that stroke victims, cancer patients, paralyzed persons and others would be able reap the benefits of a direct neuronal connection linking a patient’s brain to, say, an iPhone — enabling the patient to control it without having to tap, speak, type or swipe. While this idea isn't new and the thought behind it sounds wonderful, and requires FDA approval, it has raised a ton of security red flags. The chip would be connected via a smart-phone app and introduces a vast number of known Blue-tooth attacks, not to mention data and privacy concerns. This development could be tested as soon as end of 2020 so it will be interesting to see how technology like this pans out.

And that's a wrap for your Weekly SecuriTea Report. Be sure to check out the latest every week for the latest in Information Security News.